Skip to content

feat(initial release)#2

Merged
alxxjohn merged 36 commits into
mainfrom
newfeatures
Jun 16, 2026
Merged

feat(initial release)#2
alxxjohn merged 36 commits into
mainfrom
newfeatures

Conversation

@alxxjohn

Copy link
Copy Markdown
Contributor

No description provided.

alxxjohn and others added 30 commits June 11, 2026 16:21
Extend the TypeScript semantic runner with summary-based taint tracking
across module boundaries:

- Per-function taint summaries (param->sink, param/source->return),
  memoized and cycle-safe via a two-pass fixed point for recursion
  cycles between modules.
- Sources: req/request query, body, params, headers, cookies, and
  process.argv. Sinks: SQL query/execute, child_process exec, eval and
  new Function, HTML injection sinks, fetch URLs.
- Import resolution through the TypeChecker alias graph covers named,
  default, and namespace imports, re-export chains, barrel files, and
  method calls on imported objects; async returns propagate through
  await.
- Sanitizer awareness: parameterized query signatures, encodeURIComponent
  for URL sinks, and escape/sanitize helper naming stop propagation.
- Findings report the full cross-file chain, e.g. "request query
  (src/routes.ts:3) -> runQuery arg (src/routes.ts:3) -> pool.query sink
  (src/db.ts:4)".
- Chain depth capped by securityRules.typescript_taint_max_depth
  (default 8, -1 disables); truncation emits a debug note. node_modules
  and declaration files are skipped.
- New rules security.typescript.taint-flow / security.javascript.taint-flow.
- Integration tests: positive cross-file flow, re-export chain,
  sanitized flows (negative), module cycle, depth cap, and single-file
  stability.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Adds a new 'contracts' section with four rules, primarily active in diff
mode (base ref vs working tree):

- contracts.go-exported-breaking (fail): parses base (git show) and head
  Go files with go/ast and flags removed/renamed exported funcs, methods,
  types, and consts, plus changed exported function signatures.
- contracts.openapi-breaking (fail): compares base vs head OpenAPI/Swagger
  documents for removed paths, operations, and response codes, and newly
  required parameters and request body fields.
- contracts.proto-breaking (fail): text-parses .proto files and flags
  removed messages/services/rpcs and removed, renumbered, or retyped
  fields.
- contracts.migration-destructive (warn): flags DROP TABLE/COLUMN,
  TRUNCATE, drop_table()/drop_column(), and ALTER ... NOT NULL without
  DEFAULT in migration files (new files only in diff mode, all migration
  files in full scans).

Wiring follows the existing check-family pattern: rule catalog entries,
contract_rules config knobs with defaults and validation, and a
checks.contracts toggle that defaults to on in diff mode and is enabled
unconditionally by the strict and enterprise profiles. Base-comparison
rules no-op gracefully in full scans.

Also extends the diff scope parser so findings on deleted files survive
diff filtering, and exposes ScanMode/ListChangedFiles/ReadBaseFile to
check implementations.

Integration tests exercise each rule against real git fixtures.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- Generic module graph + Tarjan SCC shared across languages
- Import cycle rules for TypeScript/JavaScript, Rust, and Java
- design.god-module fan-in/fan-out rule for Go, Python, TS/JS, Rust, Java
- Diff-mode change-impact artifact and design.high-impact-change rule
- quality.n-plus-one-query for Go (go/ast), TS/JS, and Python
- quality.go.alloc-in-loop for string growth and non-preallocated appends
- TS sync-IO-in-handler and unbounded-concurrency, Python sync-in-async
- Config toggles + thresholds, catalog entries, integration tests

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…mplates

- Native Anthropic Messages API client in ai/runtime and ai/triage with
  provider selection "anthropic" via CODEGUARD_AI_TRIAGE_PROVIDER or
  ai.provider config; CODEGUARD_AI_TRIAGE_API_KEY with ANTHROPIC_API_KEY
  fallback; model defaults to claude-sonnet-4-6
- Shared httpretry package: exponential backoff with jitter on 429/5xx/
  network errors, Retry-After support, CODEGUARD_AI_MAX_RETRIES (default 3)
  and CODEGUARD_AI_RETRY_BASE_DELAY; wired into all HTTP providers; scans
  degrade gracefully on provider failure
- Per-verdict caching for natural-language rules keyed on SHA1 of rule
  fingerprint, runtime fingerprint, file path, content hash, and prompt
  version, stored as nl_rule_verdicts in the scan cache
- FixTemplate rule metadata with concrete before/after templates for 20
  rules, surfaced through explain --format=agent and the MCP explain tool
- Keep provider-flavored config defaults from leaking across provider types
- Tests: httptest-backed provider/retry coverage, runtime-invocation-count
  cache test, fix-template assertions; docs/ai-quality.md updated

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- quality.coverage-delta: opt-in diff-mode check gating changed-line test
  coverage. Go targets run go test -coverprofile for packages containing
  changed files; other languages run a configured coverage command and
  parse its lcov report. Configurable warn threshold (default 60) and
  optional fail_under escalation.
- ci.test-without-assertion / ci.always-true-test-assertion /
  ci.conditional-assertion: regex-based test quality rules for Go,
  Python, TypeScript, and JavaScript test files, with configurable
  custom assertion helper names.
- Plumb diff scope (changed line ranges) and scan mode into the check
  context so checks can intersect findings with changed lines.
- Config: quality_rules.coverage_delta and ci_rules.test_quality with
  defaults, validation, SDK aliases, and docs in docs/checks.md.
- Tests: end-to-end diff-mode coverage scans against real temp git
  repos (Go path runs go test on a fixture module), lcov parser unit
  tests, and positive/negative fixtures for the assertion rules.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…op history

- quality.ai.hallucinated-import now covers Python: imports resolve against
  an embedded py3.11+ stdlib list, declared deps (requirements*.txt,
  pyproject.toml project/poetry tables, setup.py/setup.cfg) with PEP 503
  name normalization and a known import-name aliases map (PIL/pillow,
  yaml/pyyaml, cv2/opencv-python, ...), and local modules on disk.
- quality.ai.dead-code goes beyond constant-false: statements after
  unconditional return/raise/throw/break/continue (Go via go/ast, TS/JS and
  Python via conservative lexical analysis) and unused private functions
  (Go package-wide via go/ast, file-local for Python/TS/JS).
- New consistency rules mirroring the idiom-drift pattern:
  quality.ai.error-style-drift (Go wrapping style, Python bare except,
  TS raw Error vs custom error classes) and quality.ai.naming-drift
  (snake_case vs camelCase vs repo-dominant convention).
- Slop-score trend history persisted per scan under the cache directory
  (cache.slop-history.json, capped per target), previous score and delta
  surfaced on SlopScoreArtifact, and a new `codeguard report -slop-history`
  command that prints the trend.
- Catalog entries, slop weights, quality_rules.ai_checks config toggles,
  validation, SDK facade helpers, and integration tests.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…t analysis

Deepen the Python and C-like (TS/JS, Java, Rust) parsers from function-boundary
tokenizers into lightweight ASTs: byte-preserving lexers that mask comment and
string contents while keeping offsets/newlines intact, logical-statement
structure, per-function symbol tables (params + local assignments), import
extraction, and call resolution. Migrate quality function-metrics (Python, TS,
Java, Rust) and security line rules onto the structured parsers/masked lines to
cut false positives from code-like text inside strings and comments.

Add real intra-file, cross-function taint analysis:
- security.taint.go: go/ast + scope tracking. Sources: *http.Request fields,
  os.Getenv, os.Args, bufio stdin. Sinks: exec.Command(Context), db
  Query/Exec/QueryRow, os file APIs, template Parse. Propagates through
  assignment/aliasing/Sprintf/concat; strconv parsing untaints.
- security.taint.python: parser-based dataflow. Sources: input(), os.environ,
  sys.argv, web request attrs. Sinks: os.system/popen, subprocess (shell=True
  or string cmd), eval/exec, cursor.execute. shlex.quote / int / float and
  parameterized query args untaint.

Findings embed the source->sink chain. New config toggles TaintGo/TaintPython
(default on), catalog entries, and tests under tests/ including negative
sanitized cases.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…e expansion, style/naming drift, slop history
alxxjohn added 6 commits June 12, 2026 14:16
…maintainability fixes

- alloc-in-loop: append-prealloc nag now behind detect_prealloc_in_loop (default off); string-concat detection stays on
- test-without-assertion: credit assert/require/expect/verify/must/check helper calls; exempt helper-process tests
- error-style-drift: direction-aware, never flags adoption of %w wrapping
- dedupe 17 real clone pairs (shared cachefile pkg, triage/runtime HTTP helpers, RunTargetSection, unified metric extraction, shared source masker)
- split oversized files, simplify complex funcs, remove dead code
@alxxjohn
alxxjohn merged commit c699cf5 into main Jun 16, 2026
7 checks passed
@alxxjohn
alxxjohn deleted the newfeatures branch June 16, 2026 17:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant